Access Control List in Linux
This article provides the background on the main functions of ACLs in the Linux file system. You will also learn how the traditional permission concepts are extended with ACLs, and the advantages this extension offers.
I. Advantages of ACLs
Normally a file in Linux has three permissions, r, w and x, for three classes of user: owner, group and other. These 9 bits are used to define access on every Linux file system. In addition, the SUID, SGID and sticky bits can be used in special cases.
ACLs are used where the ordinary file permission concept is not enough. They allow permissions to be granted to an individual user or group even when that user or group is neither the owner nor the owning group. ACLs are supported on the ReiserFS, Ext2, Ext3, JFS and XFS file systems.
The advantage of ACLs is clearest when a Windows server is replaced with a Linux server. Some workstations may keep running Windows even after the migration. The Linux system then serves files and services to the Windows clients with Samba. Samba also supports ACLs, so user permissions can be configured on both Linux and Windows through a GUI. winbindd can even assign permissions to users who exist only in the Windows domain and have no account on the Linux server. On the Linux side, ACLs are viewed and edited with getfacl and setfacl.
II. Definitions
POSIX uses three user classes to assign permissions on the file system.
- Default ACL: applies only to directories. It defines the permissions that objects inherit from the parent directory when they are created.
- ACL entry: each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier naming the user or group it refers to, and a set of permissions.
- Creating a file
- Modifying the ACL
- Using masks
Then create mydir:
$ mkdir mydir
After creating mydir, use ls -dl to check that the permissions were assigned correctly:
$ ls -dl mydir/
drwxr-xr-x 2 quanta quanta 4096 2007-12-29 22:53 mydir/
Check the initial state of the ACL, then insert a new user entry and a new group entry:
$ getfacl mydir/
# file: mydir
# owner: quanta
# group: quanta
user::rwx
group::r-x
other::---
First, try modifying it by granting read, write and execute permission to user kitty and group friends:
$ setfacl -m user:kitty:rwx,group:friends:rwx mydir/
user::rwx
user:kitty:rwx
group::r-x
group:friends:rwx
mask::rwx
other::---
Besides the entries created for user kitty and group friends, a mask entry has also been generated. This mask entry is set automatically to limit the named entries in the group class. The mask defines the maximum effective access permissions for all entries in the group class: named user, named group and owning group. The group class permission bits shown by ls -dl therefore correspond to the mask entry:
$ ls -dl mydir/
drwxrwx---+ 2 quanta quanta 4096 2007-12-29 22:53 mydir/
#effective:r-x
group::r-x
group:friends:rwx
#effective:r-x
mask::r-x
other::---
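To make the mask rule concrete, here is an added example that is not part of the original article: a small Python model that parses getfacl-style text, applies the mask to the named-user, owning-group and named-group entries the way getfacl's "#effective:" annotation does, and rebuilds the ls -dl mode string whose group bits mirror the mask. The SAMPLE_GETFACL text is constructed to match mydir after its mask was narrowed to r-x; the function names are this example's own.

```python
# Added example (not from the original article): model of how the mask entry
# bounds the group class.  SAMPLE_GETFACL is constructed to match the page's
# mydir after the mask was narrowed to r-x.

SAMPLE_GETFACL = """\
# file: mydir
# owner: quanta
# group: quanta
user::rwx
user:kitty:rwx                  #effective:r-x
group::r-x
group:friends:rwx               #effective:r-x
mask::r-x
other::---
"""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def parse_perms(text):
    """'r-x' -> 5: rwx as an integer so that '&' is set intersection."""
    return sum(val for ch, (letter, val) in zip(text, PERM_BITS) if ch == letter)


def perms_str(bits):
    """5 -> 'r-x'."""
    return "".join(letter if bits & val else "-" for letter, val in PERM_BITS)


def parse_getfacl(text):
    """Split getfacl output into the access ACL and the default ACL.

    Each entry is (tag, qualifier, bits).  '#' comments, including the
    '#effective:' hints, are discarded: they are derived, not stored.
    """
    acls = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        which = "default" if parts[0] == "default" else "access"
        tag, qualifier, perms = parts[-3:]
        acls[which].append((tag, qualifier, parse_perms(perms)))
    return acls


def effective_perms(entries):
    """Return {(tag, qualifier): (granted, effective)} for one ACL.

    The mask caps every group-class entry (named users, the owning group,
    named groups); the owner (user::) and other entries are never masked.
    """
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        in_group_class = (tag == "user" and qualifier != "") or tag == "group"
        eff = perms & mask if (mask is not None and in_group_class) else perms
        result[(tag, qualifier)] = (perms_str(perms), perms_str(eff))
    return result


def ls_mode_string(entries, is_dir=True):
    """Rebuild what ls -l prints: with a mask present the group-class bits
    are the mask, not group::, and '+' flags the extended ACL."""
    by_key = {(t, q): p for t, q, p in entries}
    owner = by_key[("user", "")]
    other = by_key[("other", "")]
    group = by_key.get(("mask", ""), by_key[("group", "")])
    extended = len(entries) > 3          # more than user::, group::, other::
    return (("d" if is_dir else "-") + perms_str(owner) + perms_str(group)
            + perms_str(other) + ("+" if extended else ""))


if __name__ == "__main__":
    access = parse_getfacl(SAMPLE_GETFACL)["access"]
    print(ls_mode_string(access))        # drwxr-x---+
    for (tag, qual), (granted, eff) in effective_perms(access).items():
        note = "" if granted == eff else f"   #effective:{eff}"
        print(f"{tag}:{qual}:{granted}{note}")
```

Run it and compare with the getfacl output above: kitty and friends keep rwx in the stored ACL, but with mask::r-x their effective access is r-x, and the group field of the mode string shows r-x rather than the owning group's own entry.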
Every system call that creates a file uses a mode parameter to define the access permissions of the newly created object:
- If the directory has no default ACL, the intersection of the permissions in the mode parameter and the current umask is computed and assigned to the object.
- If a default ACL exists in the parent directory, the permission bits are determined by the intersection of the mode parameter and the permissions defined in the default ACL, and assigned to the object.
The -d option makes setfacl apply the modification to the default ACL.
See the result of this command:
$ getfacl mydir/
# file: mydir
# owner: quanta
# group: quanta
user::rwx
user:kitty:rwx
#effective:r-x
group::r-x
group:friends:rwx
#effective:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:friends:r-x
default:mask::r-x
default:other::---
# group: quanta
user::rwx
group::r-x
group:friends:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:friends:r-x
default:mask::r-x
default:other::---
#effective:r--
group:friends:r-x
#effective:r--
mask::r--
other::---
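The two inheritance rules stated above (mode intersected with the umask when there is no default ACL, mode intersected with the default ACL when there is one) can be checked against the getfacl listings of the subdirectory and the file. The following is an added example, not code from the original article: a Python model of that rule, with mydir's default ACL taken from the page and the umask values constructed for illustration. The function and constant names are this example's own.

```python
# Added example (not from the original article): how the mode argument of a
# creating system call is combined with either the umask or the parent
# directory's default ACL.  DEFAULT_ACL_MYDIR is the default ACL getfacl
# shows for mydir on the page; the umask values below are constructed.

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def parse_perms(text):
    """'r-x' -> 5."""
    return sum(val for ch, (letter, val) in zip(text, PERM_BITS) if ch == letter)


def perms_str(bits):
    """5 -> 'r-x'."""
    return "".join(letter if bits & val else "-" for letter, val in PERM_BITS)


# Default ACL of mydir as listed by getfacl, with the "default:" prefix dropped.
DEFAULT_ACL_MYDIR = {
    ("user", ""): "rwx",
    ("group", ""): "r-x",
    ("group", "friends"): "r-x",
    ("mask", ""): "r-x",
    ("other", ""): "---",
}


def new_object_acl(mode, umask=0o022, default_acl=None):
    """Access ACL of a freshly created object, as {(tag, qualifier): perms}.

    mode is what mkdir()/open() pass: 0o777 for mkdir, 0o666 for touch.
    Without a default ACL the object gets the minimal ACL mode & ~umask.
    With a default ACL the default entries are copied and only three are
    intersected with the mode: user:: with the owner bits, mask:: (or
    group:: when there is no mask) with the group bits, other:: with the
    other bits.  Named entries are copied unchanged and the umask is not
    applied.
    """
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if not default_acl:
        m = mode & ~umask
        return {
            ("user", ""): perms_str((m >> 6) & 7),
            ("group", ""): perms_str((m >> 3) & 7),
            ("other", ""): perms_str(m & 7),
        }
    has_mask = ("mask", "") in default_acl
    acl = {}
    for (tag, qualifier), perms in default_acl.items():
        bits = parse_perms(perms)
        if (tag, qualifier) == ("user", ""):
            bits &= owner
        elif tag == "mask" or ((tag, qualifier) == ("group", "") and not has_mask):
            bits &= group
        elif tag == "other":
            bits &= other
        acl[(tag, qualifier)] = perms_str(bits)
    return acl


if __name__ == "__main__":
    # mkdir mydir/mysubdir: mode 0777 against the default ACL
    for (tag, qual), perms in new_object_acl(0o777, default_acl=DEFAULT_ACL_MYDIR).items():
        print(f"{tag}:{qual}:{perms}")
    print()
    # touch mydir/myfile: mode 0666, so the mask shrinks to r-- and
    # group:friends:r-x is only effectively r--
    for (tag, qual), perms in new_object_acl(0o666, default_acl=DEFAULT_ACL_MYDIR).items():
        print(f"{tag}:{qual}:{perms}")
```

For the directory (mode 0777) every default entry survives the intersection intact, which is the listing with mask::r-x above. For the file (mode 0666) the owner entry drops to rw- and the mask drops to r--, so group:friends keeps r-x in the stored ACL but is annotated #effective:r--, exactly as the last listing shows. The practical point for a reviewer: a mask inherited from a default ACL silently caps every named entry, so a wide default ACL can still yield narrow effective access once ordinary file modes are applied.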